ASA minimum throughput

lcaruso — Mon, 11 Mar 2019 20:32:25 GMT

Hi,

I need a firewall that has an absolutely worst case throughput of 500Mb/s sustained with all security features enabled.I'm looking at the 5550 platform as meeting this requirement, but would like comments.

Does the way Cisco specs their throughput with vpn throughput accurately represent this worst case?

If the 5550 vpn throughput is 425Mb/s, does that mean if all traffic was vpn traffic that is what I'd be guranteed to get?

Do they mean that worst case is when all connections are vpn?

Appreciate if someone can clear me up on the worst case throughput specification. Thanks.

Re: ASA minimum throughput

Maykol Rojas — Wed, 11 May 2011 23:33:37 GMT

Hi,

I would suggest you to contact your Account manager from Cisco that can provide you the best option, based on tested scenarios and so on. Here is an extract of what I consider, by far the best document that explains causes of oversubscription

"....Let's use the ASA5510 as an example. Its name throughput is 300Mbps, as we see on the table above. So the question is, "if my ASA5510 sees about 280Mbps should it be 100% CPU or not?". A quick answer would be "No". Though, we must not forget that there are many factors involved in this question. In the network industry name speeds of devices come out under certain tests. These tests are repeated and an average is presented as the maximum speed. Though, not always is "real-world" traffic the same traffic as the one used in the tests. We could use the aforementioned ASA5510 for example. Usually, the name speed tests involve stateless protocols with big packets. For a TCP web browsing application though, the packets are much smaller and TCP uses ACKs and is a "synchronized" protocol by nature. That would add more load to the firewall itself, which would make its maximum throughput value drop. On top of that, if the ASA has http inspection configured (which will do deep packet inspection for http) then we understand that its maximum processing throughput would be less than 280Mbps. It is obvious that even though 300Mbps is indeed the throughput the device can achieve, its real-world throughput, based on applications, traffic nature and configuration could practically be less. That is why in our performance documents we also try to provide other metrics. These include the "packets per seconds" (pps) and what is often seen as "real-world HTTP". For example in the ASA table we can see that the 5510 can do 190K pps (small 64-byte packets). These metrics could also be used against the interface statistics collected from the device in order to decide if the box is pusehd to its limits...."

https://supportforums.cisco.com/docs/DOC-12439

My point is, not because it is documented, it means that is going to support that amount of traffic, it does have a number of variables that need to be taken in consideraration.

Cheers.

Mike

Re: ASA minimum throughput

lcaruso — Thu, 12 May 2011 00:20:41 GMT

Many thanks for your help on this!

topic Re: ASA minimum throughput in Network Security

ASA minimum throughput

Re: ASA minimum throughput

Re: ASA minimum throughput